This Android loophole could have let your apps spy on your web browsing

Android Authority

4 days ago

Edgar Cervantes / Android Authority
TL;DR New research suggests that Meta and Yandex used a loophole in Android to link web browsing data to app identities.
The method bypassed incognito mode, cookie clearing, and other privacy protections.
Researchers say the only sure fix for now is uninstalling the affected apps.
You've long been reassured that using incognito mode or clearing cookies on your Android device will help prevent advertisers from tracking your web activity. However, new research shows that this may not be true, especially if you have certain popular apps installed.
As reported by Ars Technica and disclosed by researchers behind the Local Mess project, both Meta and Russian tech giant Yandex have been found to be using methods that allow web browsing to be linked with app identities on Android. The researchers found that this tracking method exploits the way Android allows browsers and apps to communicate on the same device.
The tracking scripts involved in this controversy are Meta Pixel and Yandex Metrica, which are embedded in millions of websites. While these tools are meant to help site owners measure engagement, the research shows they were being used to pass hidden messages from a browser to apps like Facebook, Instagram, and Yandex Maps using local network connections on your phone. If you were logged into any of those apps, they could pick up a unique ID from your browsing session and link it to your account, even in incognito mode.
Meta began using this technique in late 2024, but Yandex has reportedly been doing so since 2017.
That's a big problem because it circumvents most common privacy protections. It doesn't matter if you clear your cookies, avoid logging into sites, or browse in private mode. As long as the relevant app is installed and quietly running in the background, the company can still learn what websites you're visiting.
The loophole works by sending browser data to localhost — an internal part of your phone's network setup that apps can access. Android doesn't notify users or prompt for permission when this happens.When a website with Meta Pixel or Yandex Metrica loads, it can trigger a connection to those apps via localhost, quietly sending data along the way.
Meta began using this technique in late 2024, but Yandex has reportedly been doing so since 2017. Meta told Ars Technica that it had paused the feature and says it's working with Google to resolve what it describes as a 'potential miscommunication' over how the policies should apply. Google stated that the tracking behavior violates Play Store policies and Android users' privacy expectations, while Yandex hadn't yet responded to the publication's request for comment.
Browsers like Brave and DuckDuckGo already blocked some of this behavior, and Google has started rolling out updates to Chrome that shut down the specific methods used. But the researchers caution that these fixes are temporary. A few tweaks to the code could get around them, unless Android adds more fundamental restrictions on how apps can access local ports.
Meta Pixel and Yandex Metrica are widespread, appearing on almost six million and three million websites, respectively. According to the study, the vast majority of sites with these trackers begin collecting this data as soon as you land on the page, often before any consent pop-up appears.
If all this sounds invasive, that's because most people would agree that it is. According to the research team, the only surefire way to block this kind of Android tracking right now is to uninstall the affected apps entirely.
Got a tip? Talk to us! Email our staff at
Email our staff at news@androidauthority.com . You can stay anonymous or get credit for the info, it's your choice.